[
https://issues.apache.org/jira/browse/PHOENIX-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Soldatov resolved PHOENIX-6579.
--------------------------------------
Fix Version/s: 5.1.3
Resolution: Fixed
> ACL check doesn't honor the namespace mapping for mapped views.
> ---------------------------------------------------------------
>
> Key: PHOENIX-6579
> URL: https://issues.apache.org/jira/browse/PHOENIX-6579
> Project: Phoenix
> Issue Type: Bug
> Components: core
> Affects Versions: 5.1.2
> Reporter: Sergey Soldatov
> Assignee: Sergey Soldatov
> Priority: Major
> Fix For: 5.1.3
>
>
> When the namespace mapping and ACLs are enabled and the user tries to create
> a view on top of the existing HBase table, the query would fail if he doesn't
> have permissions for the default namespace.
> {noformat}
> *Error: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions (user=admin/ad...@example.com, scope=default:my_ns.my_table,
> action=[READ])
> at
> org.apache.phoenix.coprocessor.PhoenixAccessController.requireAccess(PhoenixAccessController.java:606)
> at
> org.apache.phoenix.coprocessor.PhoenixAccessController.preCreateTable(PhoenixAccessController.java:201)
> at
> org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:171)
> at
> org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$2.call(PhoenixMetaDataCoprocessorHost.java:168)
> at
> org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost$PhoenixObserverOperation.callObserver(PhoenixMetaDataCoprocessorHost.java:86)
> at
> org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.execOperation(PhoenixMetaDataCoprocessorHost.java:106)
> at
> org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost.preCreateTable(PhoenixMetaDataCoprocessorHost.java:168)
> at
> org.apache.phoenix.coprocessor.MetaDataEndpointImpl.createTable(MetaDataEndpointImpl.java:1900)
> at
> org.apache.phoenix.coprocessor.generated.MetaDataProtos$MetaDataService.callMethod(MetaDataProtos.java:17317)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8313)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2499)
> at
> org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2481)
> at
> org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42286)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:418)
> at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:133)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:338)
> at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:318)
> (state=08000,code=101)
> {noformat}
> That happens because in the MetaData endpoint implementation we are still
> using _SchemaUtil.getTableNameAsBytes(schemaName, tableName)_ for the mapped
> view which knows nothing about namespace mapping, so the ACL check is going
> against 'default:schema.table'. It could be fixed easy by replacing the call
> with _SchemaUtil.getPhysicalHBaseTableName(schemaName, tableName,
> isNamespaceMapped).getBytes();_
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
